Edgerouter x ipsec site to site

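This post was last edited by hkcwnet on 2016-12-17 11:41

Using a pair of Edgerouter X units, I set up an IPsec site-to-site tunnel.

Then I ran rsync from a WD My Cloud @ OMV to a Qnap TS-212.

It runs at about 28 MBytes/s.

I don't know whether that is normal.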


VPN setting
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group FOO0 compression disable
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 mode tunnel
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 ikev2-reauth no
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer siteA.ddns.net authentication id 'fqdn:siteB.ddns.net'
set vpn ipsec site-to-site peer siteA.ddns.net authentication mode pre-shared-secret
set vpn ipsec site-to-site peer siteA.ddns.net authentication pre-shared-secret hkepcvpn
set vpn ipsec site-to-site peer siteA.ddns.net authentication remote-id 'fqdn:siteA.ddns.net'
set vpn ipsec site-to-site peer siteA.ddns.net connection-type initiate
set vpn ipsec site-to-site peer siteA.ddns.net description ''
set vpn ipsec site-to-site peer siteA.ddns.net ike-group FOO0
set vpn ipsec site-to-site peer siteA.ddns.net ikev2-reauth inherit
set vpn ipsec site-to-site peer siteA.ddns.net local-address any
set vpn ipsec site-to-site peer siteA.ddns.net tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer siteA.ddns.net tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer siteA.ddns.net tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer siteA.ddns.net tunnel 1 local prefix 192.168.200.0/24
set vpn ipsec site-to-site peer siteA.ddns.net tunnel 1 remote prefix 192.168.100.0/24

firewall setting
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description 'Allow IPSEC IKE'
set firewall name WAN_LOCAL rule 20 destination port 500
set firewall name WAN_LOCAL rule 20 log disable
set firewall name WAN_LOCAL rule 20 protocol tcp_udp
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description 'Allow IPSEC NAT-T'
set firewall name WAN_LOCAL rule 30 destination port 4500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description 'Allow IPSEC ESP'
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description 'Allow icmp'
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol icmp
set firewall name WAN_LOCAL rule 70 action accept
set firewall name WAN_LOCAL rule 70 description lan
set firewall name WAN_LOCAL rule 70 destination address 192.168.200.0/24
set firewall name WAN_LOCAL rule 70 log disable
set firewall name WAN_LOCAL rule 70 protocol all
set firewall name WAN_LOCAL rule 70 source address 192.168.100.0/24
set firewall name WAN_LOCAL rule 80 action drop
set firewall name WAN_LOCAL rule 80 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 80 state invalid enable
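An added example, not part of the original post: a small Python check over `set firewall` lines like the ones posted above, flagging accept rules on the IKE and NAT-T ports whose protocol is anything other than UDP (both run over UDP only). The function names and the sample subset are constructed for illustration.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample: a subset of the WAN_LOCAL rules from the post above.
SAMPLE = """\
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description 'Allow IPSEC IKE'
set firewall name WAN_LOCAL rule 20 destination port 500
set firewall name WAN_LOCAL rule 20 protocol tcp_udp
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description 'Allow IPSEC NAT-T'
set firewall name WAN_LOCAL rule 30 destination port 4500
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 protocol esp
"""

# IKE (port 500) and NAT-T (port 4500) are carried over UDP only.
EXPECTED_PROTO = {"500": "udp", "4500": "udp"}
RULE_RE = re.compile(r"^set firewall name (\S+) rule (\d+) (.+)$")


def parse_rules(text):
    """Group 'set firewall name X rule N <key...> <value>' lines per rule."""
    rules = defaultdict(dict)
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # not a firewall rule line (e.g. 'set vpn ...')
        tokens = shlex.split(m.group(3))  # handles quoted descriptions
        if len(tokens) < 2:
            continue
        rules[(m.group(1), int(m.group(2)))][" ".join(tokens[:-1])] = tokens[-1]
    return rules


def overbroad_ipsec_rules(text):
    """Return accept rules on an IPsec port whose protocol is not exactly udp."""
    findings = []
    for (ruleset, num), rule in sorted(parse_rules(text).items()):
        port = rule.get("destination port")
        if rule.get("action") != "accept" or port not in EXPECTED_PROTO:
            continue
        if rule.get("protocol") != EXPECTED_PROTO[port]:
            findings.append((ruleset, num, port, rule.get("protocol")))
    return findings


if __name__ == "__main__":
    for ruleset, num, port, proto in overbroad_ipsec_rules(SAMPLE):
        print(f"{ruleset} rule {num}: port {port} accepts '{proto}', needs only udp")
```

On the sample it reports rule 20, which accepts `tcp_udp` on port 500; rules 30 and 40 pass.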

IPSec at 28 Mbytes/s is already a very fast speed.


Reply to 2# Brainstomer


I thought it was a NAS speed problem.


It should be 28 Mbit per sec,
only 3.5M/s.


IPsec is encrypted, so this speed is already very good...


It should be 28 Mbit per sec,
only 3.5M/s.
hkcwnet posted on 2016-12-17 16:11

For fast encryption you should use x86.
